Shouldn't 'commercial grade' firewalls support SIP/RTP? I know Cisco
firewalls doing SIP and NAT traversal very well.
Klaus
-----Original Message-----
From: Hans Eriksson [mailto:hansa@mac.com]
Sent: Thursday, December 04, 2003 6:13 PM
To: Klaus Darilion
Cc: <serusers(a)lists.iptel.org>
Subject: Re: [Serusers] symmetric nat/ broadband routers
Klaus,
Many commercial grade firewalls do not keep sessions alive, regardless
of external pings, so it won't work in rather too many cases.
Also, assuming many users (10k, 100k) doing natpings will be heavy.
But alas, NATs are a hack and maybe the only remedies will also be
hacks, with all the pros and cons.
cheers
/hans
On 4 Dec 2003 at 17:43, Klaus Darilion wrote:
Yes, the ports at the client are identical, but the NAT router uses
other ports at the public interface, e.g. if the client behind the NAT
uses port 5060 for SIP (send&receive), the NAT's public interface may
use for example port 50000. Therefore, the client listens on port 5060,
but the packets have to be sent to port 50000 of the public IP address
and then the NAT router rewrites the port back to 5060. Hence, the
nathelper module rewrites the IP address and the port in the contact
header before saving them in the location database.
If the session in the NAT router times out although using natping,
that's a pity. Maybe it helps to ping the proxy from the client, e.g. the
budgetone phones support keep alive pinging.
Klaus